Comodo's SSL Certification Attack Only One Step in a Larger Attack

The attack that resulted in valid SSL certificates being issued for Microsoft, Google, Yahoo, Skype and Mozilla sites was only a step in a multilayered attack to steal information or spread malware, security experts say.

The Secure Sockets Layer certificates that were issued fraudulently for five popular Websites were only a step in a multipronged attack by those aiming to steal information or distribute malware, according to security experts.

Attackers impersonating a Comodo Security partner managed to request nine valid digital certificates for seven domains belonging to popular Websites, including Microsoft, Google, Yahoo and Skype, said Comodo Security on March 23. The certificates were revoked immediately and Comodo has not noticed any attempts to use the certificates.

While it's worrying that attackers were able to obtain a trusted certificate for a domain not under their control, it was only a small step in a larger attack, Brian Trzupek, Trustwave's vice president of managed identity and SSL, told eWEEK. Even with the certificates in hand, they would still have needed to tamper with the domain name server infrastructure to direct users to the malicious site holding the fraudulent certificate before they could have done any harm, according to Trzupek.

According to Comodo's incident report, attackers requested nine certificates, but definitely received only one before the account was suspended. Comodo was not clear whether the attackers ever received the remaining certificates. The March 15 breach was detected fairly quickly, so by the time the attackers got around to testing one of the certificates, it had already been revoked, according to Comodo.

The first step in this complicated attack required attackers to somehow compromise a Comodo trusted partner in Southern Europe, Comodo said. While Comodo didn't specify the nature of the data breach, the partner had several login credentials to other online accounts stolen, as well, Comodo wrote in its blog post.

"It is likely that this cert type was combined with another attack vector to allow the attacker to gain access to the certificate," Trzupek said.

The certificates themselves were not the ultimate goal. One of the domains the attacker targeted was the Mozilla Firefox add-on update server. Once users were redirected to the malicious site, the attackers could have injected arbitrary code into the Web browser or conned users looking for Firefox plug-ins into downloading Trojans or key-loggers from the fraudulent site, Trzupek said. That would have been the final payoff for the attackers, whether that was gaining access to financial accounts, stealing data or compromising the host machine, Trzupek said.

Comodo also noted that the targeted domains would have been of "greatest use" to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region.

The issued SSL certificate is generally a "domain validation only" certificate, Trzupek said. These types of certificates usually undergo automated validation in which no human review occurs, he said.

While this attack affected only the Comodo certificate authority and not others, it could have had bigger implications, as all Web browsers that trust Comodo as a root authority would have been affected, said Trzupek. For example, Comodo is included as a trusted root certification authority on all supported versions of Microsoft Windows.

Users should make sure they are running modern, fully updated browsers, and that they have not disabled CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) security checks in the browser.